Malware Attack Adds Illegal Files to Mozilla Firefox

Recently, security firm Webroot announced that Mozilla Firefox has been subjected to a malware attack that hijacks the browser by adding an illegal series of dropped files to the web browser's profile. The attack code is based on the Trojan-Dropper-Headshot family.

Explaining the matter, Andrew Brandt, Threat Manager, stated that in September 2010 he had published an item about a dropper called Trojan-Dropper-Headshot. This type of malware drops everything it carries (even unnecessary components) onto the computer it infects, and it includes a large number of payloads, any one of which would amount to a dangerous threat on its own, as reported by Infosecurity on November 8, 2010. He added that these attacks were terrible.

Brandt further stated that his research team had also found that the malware has added one more interesting installer to its list of infections: a small executable called seupd.exe, which makes two small (but obnoxious) alterations to Firefox.

Brandt adds that these alterations modify the behavior of Firefox's search bar, the small box to the right of the Address Bar that lets users send queries directly to search engines.

Brandt states that these alterations are not immediately visible unless the user tries to search Google for something from the Address Bar or the Search Box. Rather than submitting the user's search keywords to Google, the web browser sends them to one of six variant domains not owned by Google, which appear to use the Google API to display results and, apparently, earn some ad income.

The alterations add a file named user.js to the currently logged-in user's Firefox profile. Although the presence of such a file is not in itself a sign of infection, in this case the user.js file contains instructions that tell the web browser where to send search queries when the user has set 'Google' as the default search engine.

Additionally, the Trojan adds a file called google_search.xml to the search plug-ins directory under Firefox's program files directory, and removes the google.xml file that is normally located there.
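As an added example (not Webroot's code or part of the original report), the following Python audit checks a Firefox profile for the two changes described above: a user.js whose search-related preferences point somewhere other than Google, and the google_search.xml / google.xml swap in the search plug-ins directory. The preference names (keyword.URL, browser.search.*), the trusted-host list and the redirect domain in the constructed sample are assumptions; the article does not name them.

```python
import os
import re
import tempfile
from urllib.parse import urlparse

# A Firefox user.js is a list of lines of the form: user_pref("name", value);
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.+?)\);')
# Assumed prefix set of preferences that decide where Address Bar / search-bar
# queries are sent; the report does not list which prefs the dropper sets.
SEARCH_PREFS = ("keyword.URL", "browser.search.")
TRUSTED_HOSTS = ("google.com", "www.google.com")

def suspicious_search_prefs(user_js_text):
    """Return (pref_name, host) for search prefs whose URL is not Google's."""
    hits = []
    for name, value in PREF_RE.findall(user_js_text):
        if not name.startswith(SEARCH_PREFS):
            continue
        for url in re.findall(r'https?://[^"\s]+', value):
            host = urlparse(url).hostname or ""
            if host not in TRUSTED_HOSTS and not host.endswith(".google.com"):
                hits.append((name, host))
    return hits

def check_searchplugins(plugins_dir):
    """Flag the file swap from the report: google_search.xml added, google.xml gone."""
    names = set(os.listdir(plugins_dir))
    return {"google_search.xml_present": "google_search.xml" in names,
            "google.xml_missing": "google.xml" not in names}

def audit_profile(profile_dir, plugins_dir):
    findings = {"prefs": [], "plugins": check_searchplugins(plugins_dir)}
    user_js = os.path.join(profile_dir, "user.js")
    if os.path.isfile(user_js):
        with open(user_js, encoding="utf-8", errors="replace") as fh:
            findings["prefs"] = suspicious_search_prefs(fh.read())
    return findings

def run_sample():
    """Build a constructed profile mimicking the described tampering and audit it."""
    root = tempfile.mkdtemp()
    profile = os.path.join(root, "profile")
    plugins = os.path.join(root, "searchplugins")
    os.makedirs(profile); os.makedirs(plugins)
    # Constructed user.js; the redirect host is a placeholder, not a real indicator.
    with open(os.path.join(profile, "user.js"), "w") as fh:
        fh.write('user_pref("browser.search.defaultenginename", "Google");\n'
                 'user_pref("keyword.URL", "http://search-redirect.example/?q=");\n')
    open(os.path.join(plugins, "google_search.xml"), "w").close()
    return audit_profile(profile, plugins)
```

On a real machine, point audit_profile at the profile directory under the user's Firefox application data and at the searchplugins directory under the Firefox installation.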

The researcher concludes by saying that these attacks are very complicated.